This is highway robbery. Car companies are taking our personal data and our money, and drivers don’t have much choice but to hand it all over.

“Modern cars are a privacy nightmare,” concluded a report published last month by the Mozilla Foundation, which developed the Firefox browser and advocates for improved privacy protection online.

Most people understand by now, I hope, the idea that “if a service is free, you are the product.” Handing over personal data is the price we pay for using “free” services, such as Google search, Gmail or Facebook. These companies collect information about our online search history, locations, “likes” and social networks, and sell that information – aggregated, they say – to marketers and advertisers eager to influence our behaviour in myriad subtle and not-so-subtle ways.

If cars were free, it might not be so infuriating that automakers harvest so much highly sensitive data. Except cars aren’t free.

A new car costs an average of $66,000, 47 per cent more than four years ago. That car companies are also looking to make a buck off the data their cars harvest feels especially slimy. For $66,000, privacy should come standard.

New cars are like smartphones on wheels: they’re connected to the internet, hooked into your phone and apps, and various third-party services. Each automaker’s privacy policies are different, but can include permission to collect recordings of your voice, your photos, your fingerprints, information about your facial features and eyes, your driving habits and style, your social media accounts and even video recordings of crashes. (Elon Musk reportedly wanted to use Tesla’s in-car camera footage to prove driver error in the event of crashes involving its Autopilot system, according to Walter Issacson’s new biography of the Tesla chief executive officer.)

The Mozilla Foundation researchers spent 600 hours looking at the privacy policies of 25 major car companies and found all of them were “terrible.” In fact, cars were the worst product category these privacy researchers had ever studied. All 25 automakers earned Mozilla’s “Privacy Not Included” label.

“While we worried that our doorbells and watches that connect to the internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines,” the authors wrote.

Car makers can gather information through their websites, and through advanced in-car sensors and data recorders, microphones, cameras, GPS, connections to your phone and third-party apps like Google Maps and Spotify.

It’s worth noting that the Mozilla Foundation study looked at U.S. privacy polices, which differ slightly from their Canadian counterparts. In the United States, for example, Mozilla noted that Nissan gives itself permission to collect data on sexual orientation and sexual activity. But, in the company’s Canadian policy, there’s no mention of those things.

The Globe requested comment on the Mozilla report from the top five automakers in the country, and only Toyota responded. A spokesperson wrote that, “Toyota Canada meets or exceeds all existing privacy standards in Canada by delivering every vehicle we sell in ‘Privacy Mode’ to help ensure the protection of our customer’s personally identifiable information.”

The Mozilla researchers acknowledged in a public interview on Reddit that they don’t know what data car companies actually collect, or how exactly they harvest it. Just because a privacy policy grants permission to collect a particular piece of data doesn’t meant the company actually does. But, again, the lack of transparency is part of the problem.

And this problem isn’t going away. The revenue connected cars generate – through in-car purchases and services, or by selling data to third parties, for example – is expected to grow from tens of millions to hundreds of millions of dollars by the end of the decade, according to several estimates. Connected cars aren’t all bad of course; far from it. They allow for over-the-air software updates that could prolong a vehicle’s life, and they have the potential to make roads safer. But make no mistake; connected cars are becoming big business.

None of this should come as a surprise. Back in 2020, we reported on the reams of data connected cars could collect, and the situation hasn’t improved since then, according to Marina Pavlovic, an associate professor in the University of Ottawa’s Faculty of Law who specializes in consumer rights and privacy in the digital realm. Arguably, the situation has only gotten worse as more connected cars hit the road.

“There’s a consensus that the current legislative scheme that we have in [Canada’s Personal Information Protection and Electronic Documents Act] is not sufficient,” Pavlovic said. That legislation was introduced in 2000 and technology has come a long way since then. “There’s a consensus that we need reform, but where I think views may disagree is in terms of which way to go.”

Bill C-27, the Digital Charter Implementation Act, is supposed to be that legislative reform. It had its first reading in June, 2022, and is currently in committee. But the bill has been criticized for being inadequate and giving too much power to businesses as well as governments.

In addition to stronger legislative protection for consumers, Pavlovic suggested that car companies should have to disclose how often they receive and respond to requests by authorities for customers’ personal information. Some internet service providers like TekSavvy regularly disclose that information in public transparency reports.

Alternatively, if car companies offered steep discounts on vehicles that harvest data, consumers might feel they’re getting a fair deal. Car companies could have our money, or our data, but not both. (If I could get a free Mercedes in exchange for forking over my personal data, I’d probably be driving an S-Class tomorrow.) But that kind of scheme would never be lucrative enough for automakers to make it worthwhile. Besides, as Pavlovic says, “I’m leery of the world where you have to pay for your privacy.” And she’s right; that leads down a dystopian path.

Some of the privacy policies do have limited opt-out clauses. In the case of Tesla, however, the company states that opting out of vehicle data collection may result in your vehicle suffering, “serious damage, or inoperability.”

So, what is the solution? In much of the country, driving is not a choice but a necessity. At the moment, privacy advocates say, all people can do is understand what kinds of data are being gathered and sold, and object loudly to such overreach with the car companies. While a vehicle’s privacy policy probably won’t sway any purchasing decisions, drivers should know what they’re agreeing to, which is admittedly difficult when the policies are so vague and open-ended.

It’s time that both drivers and legislators treat cars like smartphones or any other digital device that devours and profits from personal information.

We still tend to think of cars as a private space. But those days are sadly gone.